- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3819-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
May 25, 2024                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : fossil
Version        : 1:2.8-1+deb10u1
CVE ID         : CVE-2024-24795
Debian Bug     : 1070069

Fossil was broken by fixes of CVE-2024-24795 for apache2 package,
and needed an update.

As part of the security fix, the Apache webserver
mod_cgi module has stopped relaying the Content-Length field
of the HTTP reply header from the CGI programs back to the client
in cases where the connection is to be closed and the client
is able to read until end-of-file.

Fossil was fixed by reading the whole input,
re-allocating the input buffer to fit as more input is received,
instead of trusting the CONTENT_LENGTH variable.

For Debian 10 buster, this problem has been fixed in version
1:2.8-1+deb10u1.

We recommend that you upgrade your fossil packages.

For the detailed security status of fossil please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fossil

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS